ID

VAR-201905-0239


CVE

CVE-2019-1724


TITLE

Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Router Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003885

DESCRIPTION

A vulnerability in the session management functionality of the web-based interface for Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to hijack a valid user session on an affected system. An attacker could use this impersonated session to create a new user account or otherwise control the device with the privileges of the hijacked session. The vulnerability is due to a lack of proper session management controls. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted device. A successful exploit could allow the attacker to take control of an existing user session on the device. Exploitation of the vulnerability requires that an authorized user session is active and that the attacker can craft an HTTP request to impersonate that session. Cisco Small Business RV320 is a VPN router of Cisco Company in the United States. This issue is being tracked by Cisco bug ID CSCvn77859, CSCvn79158. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products

Trust: 2.52

sources: NVD: CVE-2019-1724 // JVNDB: JVNDB-2019-003885 // CNVD: CNVD-2019-33822 // BID: 108139 // VULHUB: VHN-149466

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-33822

AFFECTED PRODUCTS

vendor:ciscomodel:rv325 dual wan gigabit vpn routerscope:eqversion:1.3.1.12

Trust: 1.0

vendor:ciscomodel:rv320 dual gigabit wan vpn router softwarescope:eqversion:1.3.1.12

Trust: 1.0

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:small business rv320scope:ltversion:1.4.2.20

Trust: 0.6

vendor:ciscomodel:small business rv325scope:ltversion:1.4.2.20

Trust: 0.6

vendor:ciscomodel:small business rv series routersscope:eqversion:1.3.1.12

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:eqversion:1.4.2.19

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:eqversion:1.4.2.18

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:eqversion:1.4.2.17

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:eqversion:1.4.2.16

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:eqversion:1.4.2.15

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:eqversion:1.3.1.12

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:eqversion:1.4.2.19

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:eqversion:1.4.2.18

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:eqversion:1.4.2.17

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:eqversion:1.4.2.16

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:eqversion:1.4.2.15

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:eqversion:1.3.1.12

Trust: 0.3

vendor:ciscomodel:small business rv series routersscope:neversion:1.4.2.20

Trust: 0.3

vendor:ciscomodel:rv325 dual gigabit wan vpn routerscope:neversion:1.4.2.20

Trust: 0.3

vendor:ciscomodel:rv320 dual gigabit wan vpn routerscope:neversion:1.4.2.20

Trust: 0.3

sources: CNVD: CNVD-2019-33822 // BID: 108139 // JVNDB: JVNDB-2019-003885 // NVD: CVE-2019-1724

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-1724
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2019-1724
value: HIGH

Trust: 1.0

NVD: CVE-2019-1724
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-33822
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201905-053
value: HIGH

Trust: 0.6

VULHUB: VHN-149466
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-1724
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-33822
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-149466
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ykramarz@cisco.com: CVE-2019-1724
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

nvd@nist.gov: CVE-2019-1724
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2019-33822 // VULHUB: VHN-149466 // JVNDB: JVNDB-2019-003885 // CNNVD: CNNVD-201905-053 // NVD: CVE-2019-1724 // NVD: CVE-2019-1724

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-149466 // JVNDB: JVNDB-2019-003885 // NVD: CVE-2019-1724

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-053

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201905-053

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003885

PATCH

title:cisco-sa-20190501-sbr-hijackurl:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sbr-hijack

Trust: 0.8

title:Patch for Cisco Small Business RV320 and RV325 Authorization Issue Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/183029

Trust: 0.6

title:Cisco Small Business RV320 and RV325 Remediation measures for authorization problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92196

Trust: 0.6

sources: CNVD: CNVD-2019-33822 // JVNDB: JVNDB-2019-003885 // CNNVD: CNNVD-201905-053

EXTERNAL IDS

db:NVDid:CVE-2019-1724

Trust: 3.4

db:BIDid:108139

Trust: 1.0

db:JVNDBid:JVNDB-2019-003885

Trust: 0.8

db:CNNVDid:CNNVD-201905-053

Trust: 0.7

db:CNVDid:CNVD-2019-33822

Trust: 0.6

db:AUSCERTid:ESB-2019.1535

Trust: 0.6

db:VULHUBid:VHN-149466

Trust: 0.1

sources: CNVD: CNVD-2019-33822 // VULHUB: VHN-149466 // BID: 108139 // JVNDB: JVNDB-2019-003885 // CNNVD: CNNVD-201905-053 // NVD: CVE-2019-1724

REFERENCES

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20190501-sbr-hijack

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-1724

Trust: 1.4

url:http://www.cisco.com/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1724

Trust: 0.8

url:https://web.nvd.nist.gov//vuln/detail/cve-2019-1724

Trust: 0.6

url:https://www.auscert.org.au/bulletins/80178

Trust: 0.6

url:https://www.securityfocus.com/bid/108139

Trust: 0.6

sources: CNVD: CNVD-2019-33822 // VULHUB: VHN-149466 // BID: 108139 // JVNDB: JVNDB-2019-003885 // CNNVD: CNNVD-201905-053 // NVD: CVE-2019-1724

CREDITS

security researchers Xie Wei and Wu Linjie .,Xie Wei and Wu Linjie.

Trust: 0.6

sources: CNNVD: CNNVD-201905-053

SOURCES

db:CNVDid:CNVD-2019-33822
db:VULHUBid:VHN-149466
db:BIDid:108139
db:JVNDBid:JVNDB-2019-003885
db:CNNVDid:CNNVD-201905-053
db:NVDid:CVE-2019-1724

LAST UPDATE DATE

2024-08-14T14:45:21.622000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-33822date:2019-09-29T00:00:00
db:VULHUBid:VHN-149466date:2019-10-09T00:00:00
db:BIDid:108139date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-003885date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-053date:2019-05-14T00:00:00
db:NVDid:CVE-2019-1724date:2021-09-13T12:23:34.570

SOURCES RELEASE DATE

db:CNVDid:CNVD-2019-33822date:2019-09-29T00:00:00
db:VULHUBid:VHN-149466date:2019-05-03T00:00:00
db:BIDid:108139date:2019-05-01T00:00:00
db:JVNDBid:JVNDB-2019-003885date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-053date:2019-05-01T00:00:00
db:NVDid:CVE-2019-1724date:2019-05-03T17:29:00.673